Simplocker Android malware, New strain of criminal software asks for payment to unlock files on SD cards, but is so far confined to Ukrainian region
Simplocker is targeting Android owners in the Ukraine. Photograph: ESET
A fresh strain of criminal software has been discovered encrypting the data of Android smartphone owners, then demanding payment to unlock it.
The Simplocker ransomware scans victims’ SD memory cards for certain files, including images, PDF’s and other documents, and audio files, before locking them using the AES encryption standard, according to security company ESET.
It’s the first malware found to be encrypting data on Android phones before demanding payment to decrypt it, according to a blog post by ESET’s security intelligence team lead Robert Lipovsky.
Simplocker asks for a payment of 260 Ukrainian hryvnias (£13) to decrypt victims’ files, directing them to the MoneXy transfer service.
The malware also sends phone information, such as the IMEI number, to a server controlled by the attackers, which is based on the Tor network. Tor uses encryption and sends communications through a number of difference servers to ensure it’s extremely difficult to track users.
In the case of the attackers, it makes their operation that much harder for law enforcement to track and shut down.
Should you be worried? Not yet, if you’re in the west. Lipovsky said that Simplocker appears to be solely active in the Ukrainian region; is not found on Android’s official Google Play Store; and is not currently widespread.
He added that the level of encryption used by Simplocker is significantly weaker than that of Cryptolocker, the aggressive Windows ransomware that global law enforcement authorities have been trying to shut down over the past week.
“While the malware does contain functionality to decrypt the files, we strongly recommend against paying up – not only because that will only motivate other malware authors to continue these kinds of filthy operations, but also because there is no guarantee that the crook will keep their part of the deal and actually decrypt them,” Lipovsky added.
Various forms of Android ransomware have been uncovered in recent months. In May, security experts warned about a strain called Koler, which posed as a porn app. It then sent a message claiming to be from police, telling the user they had broken the law by watching indecent material, demanding they pay a fine of $300.
Yet Windows remains the number one target for ransomware. The Guardian reported this week that the Cryptolocker malware has infected as many as 50,000 computers in the UK alone.